In the past couple of weeks, I’ve revamped my local network and how it’s tied together. I’ll document the steps here on the site. There are a number of pieces that were added to what I’ve described before.
One of the goals was to separate out some of the more security-critical pieces from machines that provide services either available on the local network, or providing services on the internet. Security was one of the things that I didn’t like about how it was set up previously. Also, it was hacked together more than I would have liked.
Here are some of the pieces and I’ll describe each of them in later posts.
- DNS:
DNS, or Domain Name System, in addition to other things, associates domain names and other information with IP addresses. This allows translation of computer names to their appropriate address so that they can be located on a local network, or on the internet. It also provides information for other services such as email routing and Kerberos servers.
- Kerberos authentication:
Kerberos is an authentication protocol that works on the principle that a third party will verify the authenticity of a client and server to each other in a secure and encrypted manner.
- LDAP directory:
LDAP is a directory which stores the account information and determines authorization to different services. It is general purpose, and can also store other information for dissemination to machines on our network. It will provide information about users and group accounts among other information.
- Network Accounts: Our directory will need to be populated with the proper network account information.
- Client configuration: Our machines will need to be configured to access the proper servers for both Linux and OS X. Also, client machines are configured to load networked directories based on autofs maps in our LDAP directory.
- Kerberized SSH: Once we have the accounts configured we can enable Kerberized SSH to allow for remote access to servers, using our Kerberos tickets to connect. This allows us to connect without having to always enter a password or provide a public key, but rather use our tickets to authenticate us.
- Kerberized Postfix MTA: I’m using the Kerberos authentication to allow for submission of mail for delivery by my mail clients.
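As an added example (not part of the original post, and not the author's configuration), this is the kind of zone fragment that carries the mail-routing and Kerberos information mentioned under DNS above; the domain, realm, host names and addresses are placeholders.

```zone
; Constructed example zone fragment for example.com (placeholder names and
; RFC 5737 documentation addresses), not the author's actual zone
$ORIGIN example.com.
$TTL 3600

; Hosts
kdc     IN A    192.0.2.10
mail    IN A    192.0.2.20

; Mail routing: clients and other MTAs find the Postfix MTA via the MX record
@       IN MX   10 mail.example.com.

; Realm mapping: a client asked about example.com can read the realm name
; from this TXT record (realm names are conventionally upper-case)
_kerberos               IN TXT  "EXAMPLE.COM"

; KDC location: SRV records (priority, weight, port, target) for the realm,
; used by clients with dns_lookup_kdc enabled instead of static krb5.conf entries
_kerberos._udp          IN SRV  0 0 88  kdc.example.com.
_kerberos._tcp          IN SRV  0 0 88  kdc.example.com.
_kerberos-master._udp   IN SRV  0 0 88  kdc.example.com.
_kpasswd._udp           IN SRV  0 0 464 kdc.example.com.
_kerberos-adm._tcp      IN SRV  0 0 749 kdc.example.com.
```

MIT Kerberos resolves the SRV records by default (dns_lookup_kdc) but leaves dns_lookup_realm off: a spoofed KDC record only causes a failure, since tickets are still protected by keys the spoofer lacks, whereas a spoofed realm mapping can steer a client to the wrong realm, so the TXT record is best mirrored by an explicit [domain_realm] entry in krb5.conf.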
Some notes about the setup. I’ve moved the more – what I would call – critical services to their own machine. For this I’m using a very lightweight machine, a Zotac ZBOX nano AD11.
For what I’m thinking of using it for, it’s perfect. It takes up almost no space and I’m planning on having the machine on all of the time, but not being used all of the time. Also, I’m not planning on using it for anything that would be considered a heavy load. It has a tested power consumption of 11W at idle, and that’s the main thing that I’m looking for. And it’s really quiet, despite what the reviews say. It has 64GB of disk and built-in gigabit Ethernet, which is fast and easy.